fix: Default Group ID assignment on SSO/OAUTH and LDAP (#19685)

* fix (#99) Co-authored-by: Tim Baek <tim@openwebui.com> Co-authored-by: Claude <noreply@anthropic.com> * Update auths.py * unified logic * PUSH * remove getattr * rem getattr * whitespace * Update oauth.py * trusted header group sync Added default group re-application after trusted header group sync * not apply after syncs * . * rem --------- Co-authored-by: Tim Baek <tim@openwebui.com> Co-authored-by: Claude <noreply@anthropic.com>
2025-12-11 20:05:19 +00:00 · 2025-12-02 22:48:00 +01:00 · 2025-12-02 22:48:00 +01:00 · a49e1d87ad
commit a49e1d87ad
parent 9a65ed2260
3 changed files with 49 additions and 6 deletions
--- a/backend/open_webui/routers/auths.py
+++ b/backend/open_webui/routers/auths.py
@ -65,6 +65,7 @@ from open_webui.utils.auth import (
 )
 from open_webui.utils.webhook import post_webhook
 from open_webui.utils.access_control import get_permissions, has_permission
+from open_webui.utils.groups import apply_default_group_assignment

 from open_webui.utils.redis import get_redis_client
 from open_webui.utils.rate_limit import RateLimiter
@ -417,6 +418,11 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                            500, detail=ERROR_MESSAGES.CREATE_USER_ERROR
                        )

+                    apply_default_group_assignment(
+                        request.app.state.config.DEFAULT_GROUP_ID,
+                        user.id,
+                    )
+
                except HTTPException:
                    raise
                except Exception as err:
@ -465,7 +471,6 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
                ):
                    if ENABLE_LDAP_GROUP_CREATION:
                        Groups.create_groups_by_group_names(user.id, user_groups)
-
                    try:
                        Groups.sync_groups_by_group_names(user.id, user_groups)
                        log.info(
@ -722,9 +727,10 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
                # Disable signup after the first user is created
                request.app.state.config.ENABLE_SIGNUP = False

-            default_group_id = getattr(request.app.state.config, "DEFAULT_GROUP_ID", "")
-            if default_group_id and default_group_id:
-                Groups.add_users_to_group(default_group_id, [user.id])
+            apply_default_group_assignment(
+                request.app.state.config.DEFAULT_GROUP_ID,
+                user.id,
+            )

            return {
                "token": token,
@ -829,7 +835,9 @@ async def signout(request: Request, response: Response):


@router.post("/add", response_model=SigninResponse)
-async def add_user(form_data: AddUserForm, user=Depends(get_admin_user)):
+async def add_user(
+    request: Request, form_data: AddUserForm, user=Depends(get_admin_user)
+):
    if not validate_email_format(form_data.email.lower()):
        raise HTTPException(
            status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT
@ -854,6 +862,11 @@ async def add_user(form_data: AddUserForm, user=Depends(get_admin_user)):
        )

        if user:
+            apply_default_group_assignment(
+                request.app.state.config.DEFAULT_GROUP_ID,
+                user.id,
+            )
+
            token = create_token(data={"id": user.id})
            return {
                "token": token,
--- a/backend/open_webui/utils/groups.py
+++ b/backend/open_webui/utils/groups.py
@ -0,0 +1,24 @@
+import logging
+from open_webui.models.groups import Groups
+
+log = logging.getLogger(__name__)
+
+
+def apply_default_group_assignment(
+    default_group_id: str,
+    user_id: str,
+) -> None:
+    """
+    Apply default group assignment to a user if default_group_id is provided.
+    
+    Args:
+        default_group_id: ID of the default group to add the user to
+        user_id: ID of the user to add to the default group
+    """
+    if default_group_id:
+        try:
+            Groups.add_users_to_group(default_group_id, [user_id])
+        except Exception as e:
+            log.error(
+                f"Failed to add user {user_id} to default group {default_group_id}: {e}"
+            )
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@ -72,6 +72,7 @@ from open_webui.env import (
 from open_webui.utils.misc import parse_duration
 from open_webui.utils.auth import get_password_hash, create_token
 from open_webui.utils.webhook import post_webhook
+from open_webui.utils.groups import apply_default_group_assignment

 from mcp.shared.auth import (
    OAuthClientMetadata as MCPOAuthClientMetadata,
@ -1167,7 +1168,6 @@ class OAuthManager:
                log.debug(
                    f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
                )
-
                Groups.remove_users_from_group(group_model.id, [user.id])

                # In case a group is created, but perms are never assigned to the group by hitting "save"
@ -1478,6 +1478,12 @@ class OAuthManager:
                                "user": user.model_dump_json(exclude_none=True),
                            },
                        )
+
+                    apply_default_group_assignment(
+                        request.app.state.config.DEFAULT_GROUP_ID,
+                        user.id,
+                    )
+
                else:
                    raise HTTPException(
                        status.HTTP_403_FORBIDDEN,